added stuff

2024-04-09 23:11:33 +02:00 · 2024-04-09 23:11:33 +02:00 · 236b8c2a6b
commit 236b8c2a6b
parent 937f28770d
907 changed files with 70990 additions and 0 deletions
--- a/nyx/modules/core/common/system/containers/alpha/default.nix
+++ b/nyx/modules/core/common/system/containers/alpha/default.nix
@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  inherit (lib) mkIf;
+
+  hostConfig = config;
+in {
+  config = mkIf (builtins.elem "alpha" config.modules.system.containers.enabledContainers) {
+    systemd = {
+      services."container@alpha".after = ["container@firewall.service"];
+      tmpfiles.rules = [
+        "D /srv/containers/home 755 root root"
+      ];
+    };
+
+    containers."alpha" = {
+      autoStart = false;
+      enableTun = true;
+      ephemeral = true;
+      privateNetwork = true;
+      localAddress = "10.1.0.1";
+      hostAddress = "10.1.0.2";
+      config = _: {
+        _module.args = {inherit lib;};
+        nixpkgs.pkgs = pkgs;
+
+        system.stateVersion = "23.05";
+
+        users = {
+          groups.alpha = {};
+          users.alpha = {
+            isNormalUser = true;
+            extraGroups = ["alpha"];
+            home = "/home/alpha";
+            createHome = true;
+            initialPassword = "alpha";
+          };
+        };
+
+        environment.systemPackages = with pkgs; [
+          gcc
+          openjdk17_headless
+          gitMinimal
+        ];
+
+        networking.interfaces.ve-alpha = {
+          useDHCP = true;
+          ipv4 = {
+            addresses = [
+              {
+                address = "10.1.0.1";
+                prefixLength = 32;
+              }
+            ];
+            routes = [
+              {
+                address = "10.1.0.2";
+                prefixLength = 32;
+                options = {src = "10.1.0.1";};
+              }
+            ];
+          };
+        };
+      };
+
+      bindMounts = {
+        "/home" = {
+          hostPath = "/srv/containers/home";
+          isReadOnly = false;
+        };
+
+        "/run/systemd/ask-password" = {
+          hostPath = "/run/systemd/ask-password";
+          isReadOnly = false;
+        };
+        "/run/systemd/ask-password-block" = {
+          hostPath = "/run/systemd/ask-password-block";
+          isReadOnly = false;
+        };
+      };
+    };
+  };
+}
--- a/nyx/modules/core/common/system/containers/beta/default.nix
+++ b/nyx/modules/core/common/system/containers/beta/default.nix
@ -0,0 +1,99 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  inherit (lib) mkIf;
+in {
+  config = mkIf (builtins.elem "beta" config.modules.system.containers.enabledContainers) {
+    containers."beta" = {
+      autoStart = false;
+      enableTun = true;
+      ephemeral = true;
+      privateNetwork = true;
+      localAddress = "10.2.0.1";
+      hostAddress = "10.2.0.2";
+      config = _: let
+        backup_path = "/var/backup/postgresql";
+      in {
+        system.stateVersion = "23.05";
+
+        services.openssh.enable = true;
+
+        users = {
+          groups.beta = {};
+          users = {
+            root.hashedPassword = "!"; # disable root login
+            beta = {
+              isNormalUser = true;
+              createHome = true;
+              group = "beta";
+            };
+          };
+        };
+
+        time.timeZone = "Europe/Berlin";
+
+        networking.interfaces = {
+          eth0 = {
+            useDHCP = false;
+            ipv4.addresses = [
+              {
+                address = "192.168.6.1";
+                prefixLength = 23;
+              }
+            ];
+            ipv6.addresses = [];
+          };
+        };
+
+        networking.firewall = {
+          enable = true;
+          allowPing = true;
+          allowedTCPPorts = [5432];
+        };
+
+        services.postgresql = {
+          enable = true;
+          enableTCPIP = true;
+          package = pkgs.postgresql;
+          dataDir = "/var/db/postgresql";
+          authentication = ''
+            host selfoss selfoss 192.168.6.2/32 trust
+          '';
+          initialScript = builtins.toFile "pg_initial_script" ''
+            CREATE ROLE selfoss LOGIN CREATEDB;
+            CREATE DATABASE selfoss OWNER selfoss;
+          '';
+        };
+
+        systemd.services.postgresql.preStart = ''
+          if [ ! -d ${backup_path} ]; then
+            mkdir -p ${backup_path}
+            chown postgres ${backup_path}
+          fi
+        '';
+
+        systemd.services.postgresql-dump = {
+          path = with pkgs; [postgresql gzip];
+          serviceConfig = {
+            User = "root";
+          };
+          script = let
+            db_list_command = "psql -l -t -A |cut -d'|' -f 1 |grep -v -e template0 -e template1 -e 'root=CT'";
+          in ''
+            ${db_list_command}
+            for db in `${db_list_command}`; do
+              echo "Dumping $db"
+              pg_dump --format directory --file ${backup_path}/$db $db
+            done
+            echo "Dumping all in one gzip"
+            pg_dumpall |gzip > ${backup_path}/complete_dump.sql.gz
+          '';
+          startAt = "daily";
+        };
+      };
+    };
+  };
+}
--- a/nyx/modules/core/common/system/containers/default.nix
+++ b/nyx/modules/core/common/system/containers/default.nix
@ -0,0 +1,11 @@
+_: {
+  # this imports all container directories unconditionally, regardless of whether or not
+  # they are included in containers.enabledContainers option definition
+  # however, as a safeguard, we are required to check if a container is actually meant to be enabled
+  # so each container does it's own "builtins.elem ..." bullshit before evaluating the container
+  # configuration - hacky? yes. working? also yes.
+  imports = [
+    ./alpha # sandbox
+    ./beta # postgresql
+  ];
+}